virt-aa-helper: handle more disk images

virt-aa-helper needs read access to the disk image to resolve symlinks
and add the proper rules to the profile. Its profile whitelists a few
common paths, but users can place their images anywhere.

This commit lets users allow access to their images by adding their
own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper.

This commit also adds rules to allow reading files named:
  - *.raw as this is a rather common disk image extension
  - /run/libvirt/**[vd]d[a-z] as these are used by virt-sandbox
Cédric Bosdonnat 2017-12-11 11:09:31 +01:00
parent 291f68b5da
commit 0f33025a43
2 changed files with 27 additions and 2 deletions


@ -67,6 +67,9 @@ admin_client_info_SOURCES = admin/client_info.c
admin_client_close_SOURCES = admin/client_close.c admin_client_close_SOURCES = admin/client_close.c
admin_logging_SOURCES = admin/logging.c admin_logging_SOURCES = admin/logging.c
INSTALL_DATA_LOCAL =
UNINSTALL_LOCAL =
if WITH_APPARMOR_PROFILES if WITH_APPARMOR_PROFILES
apparmordir = $(sysconfdir)/apparmor.d/ apparmordir = $(sysconfdir)/apparmor.d/
apparmor_DATA = \ apparmor_DATA = \
@ -85,20 +88,37 @@ templates_DATA = \
apparmor/TEMPLATE.qemu \ apparmor/TEMPLATE.qemu \
apparmor/TEMPLATE.lxc \ apparmor/TEMPLATE.lxc \
$(NULL) $(NULL)
APPARMOR_LOCAL_DIR = "$(DESTDIR)$(apparmordir)/local"
install-apparmor-local:
$(MKDIR_P) "$(APPARMOR_LOCAL_DIR)"
echo "# Site-specific additions and overrides for \
'usr.lib.libvirt.virt-aa-helper'" \
>$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper
INSTALL_DATA_LOCAL += install-apparmor-local
UNINSTALL_LOCAL += uninstall-apparmor-local
endif WITH_APPARMOR_PROFILES endif WITH_APPARMOR_PROFILES
if WITH_NWFILTER if WITH_NWFILTER
NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter" NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
install-data-local: install-nwfilter-local:
$(MKDIR_P) "$(NWFILTER_DIR)" $(MKDIR_P) "$(NWFILTER_DIR)"
for f in $(FILTERS); do \ for f in $(FILTERS); do \
$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \ $(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
done done
uninstall-local:: uninstall-nwfilter-local::
for f in $(FILTERS); do \ for f in $(FILTERS); do \
rm -f "$(NWFILTER_DIR)/`basename $$f`"; \ rm -f "$(NWFILTER_DIR)/`basename $$f`"; \
done done
-test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR) -test -z "$(shell ls $(NWFILTER_DIR))" || rmdir $(NWFILTER_DIR)
INSTALL_DATA_LOCAL += install-nwfilter-local
UNINSTALL_LOCAL += uninstall-nwfilter-local
endif WITH_NWFILTER endif WITH_NWFILTER
install-data-local: $(INSTALL_DATA_LOCAL)
uninstall-local: $(UNINSTALL_LOCAL)
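Review bot: The `install-apparmor-local` recipe redirects the `echo` header straight into `usr.lib.libvirt.virt-aa-helper` on every `make install`, so a reinstall or upgrade truncates whatever site-specific rules an administrator has put there — the customisation this change exists to enable. Guard the write so the file is only created when absent: `test -e "$(APPARMOR_LOCAL_DIR)/usr.lib.libvirt.virt-aa-helper" || \` placed as the line before the `echo`. `UNINSTALL_LOCAL += uninstall-apparmor-local` names a target that does not appear anywhere in this hunk; unless it is defined elsewhere in the file, `make uninstall` will stop with "No rule to make target 'uninstall-apparmor-local'". A one-line comment above `APPARMOR_LOCAL_DIR` would also help, e.g. `# Placeholder for admin-maintained overrides pulled in by the profile's #include <local/...>`.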


@ -50,11 +50,16 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
/var/lib/libvirt/images/ r, /var/lib/libvirt/images/ r,
/var/lib/libvirt/images/** r, /var/lib/libvirt/images/** r,
/{media,mnt,opt,srv}/** r, /{media,mnt,opt,srv}/** r,
# For virt-sandbox
/run/libvirt/**/[sv]d[a-z] r
/**.img r, /**.img r,
/**.raw r,
/**.qcow{,2} r, /**.qcow{,2} r,
/**.qed r, /**.qed r,
/**.vmdk r, /**.vmdk r,
/**.[iI][sS][oO] r, /**.[iI][sS][oO] r,
/**/disk{,.*} r, /**/disk{,.*} r,
#include <local/usr.lib.libvirt.virt-aa-helper>
} }
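Review bot: The new rule `/run/libvirt/**/[sv]d[a-z] r` is missing the terminating comma that every neighbouring rule carries (`/**.img r,`, `/**.raw r,`), so apparmor_parser will reject the whole virt-aa-helper profile rather than just this line; it should read `/run/libvirt/**/[sv]d[a-z] r,`. The commit message describes this pattern as `/run/libvirt/**[vd]d[a-z]` while the profile uses `[sv]d`, so one of the two should be corrected so the recorded intent matches what is enforced. The `#include <local/usr.lib.libvirt.virt-aa-helper>` makes the presence of that file mandatory for the profile to load at all, which means the Makefile install step (or any downstream packaging of this profile) must always ship it; a comment such as `# Mandatory: profile fails to load if this file is absent, see install-apparmor-local` above the include would make that coupling visible to packagers.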